This "Audit Booklet" is one of several booklets that comprise
the Federal Financial Institutions Examination Council (FFIEC)
Information Technology Examination Handbook (IT Handbook) and
provides guidance to examiners and financial institutions on the
characteristics of an effective information technology (IT) audit
function. This booklet uses the terms "institution" and "financial
institution" to describe insured banks, thrifts, and credit unions,
as well as technology service providers that provide services to
such entities. This booklet replaces and rescinds Chapter 8 of the
1996 FFIEC Information Systems Examination Handbook. It should be
used by examiners of the FFIEC member agencies as a foundation from
which they can assess the quality and effectiveness of an
institution's IT audit program. The FFIEC member agencies are the
Board of Governors of the Federal Reserve System (Federal Reserve
Board), Federal Deposit Insurance Corporation (FDIC), National
Credit Union Administration (NCUA), Office of the Comptroller of
the Currency (OCC), and Office of Thrift Supervision (OTS). The
booklet describes the roles and responsibilities of the board of
directors, management, and internal or external auditors;
identifies effective practices for IT audit programs; and details
examination objectives and procedures. Agency examiners will use
the examination procedures in Appendix A to assess the adequacy of
IT audit programs at both financial institutions and technology
service providers. The examination guidance and procedures in this
booklet focus on IT audit and supplement other, more general,
internal and external audit guidance provided by the FFIEC
agencies. These include the "Interagency Policy Statement on the
Internal Audit Function and Its Outsourcing," March 17, 2003;
"Interagency Policy Statement on External Auditing Programs of
Banks and Savings Associations," September 22, 1999; and
"Interagency Policy Statement on Coordination and Communication
Between External Auditors and Examiners," July 23, 1992.

A well-planned, properly structured audit program is essential
to evaluate risk management practices, internal control systems, and
compliance with corporate policies concerning IT-related risks at
institutions of every size and complexity. Effective audit programs
are risk-focused, promote sound IT controls, ensure the timely
resolution of audit deficiencies, and inform the board of directors
of the effectiveness of risk management practices. An effective IT
audit function may also reduce the time examiners spend reviewing
areas of the institution during examinations. Ideally, the audit
program would consist of a full-time, continuous program of
internal audit coupled with a well-planned external auditing
program.

The financial industry must plan, manage, and monitor rapidly
changing technologies to enable it to deliver and support new
products, services, and delivery channels. The rate of these
changes and the resulting increased reliance on technology make the
inclusion of IT audit coverage essential to an effective overall
audit program. The audit program should address IT risk exposures
throughout the institution, including the areas of IT management
and strategic planning, data center operations, client/server
architecture, local and wide-area networks, telecommunications,
physical and information security, electronic banking, systems
development, and business continuity planning. IT audit should also
focus on how management determines the risk exposure from its
operations and controls or mitigates that risk.

To determine what risks exist, management should prepare an
independent assessment of the institution's risk exposure and the
quality of the internal controls associated with the development,
acquisition, implementation, and use of information technology. An
institution's IT audit function can provide this independent
assessment within the context of the overall audit function and can
include work performed by both internal and external auditors and
by other independent third parties as appropriate for the
institution's complexity and level of internal expertise. The FFIEC
member agencies believe that a strong internal auditing function
combined with a well-planned external auditing function
substantially increases the probability that an institution will
detect potentially serious technology-related problems. An
effective IT audit program should:

Identify areas of greatest IT risk exposure to the institution
in order to focus audit resources;

Promote the confidentiality, integrity, and availability of
information systems;

Determine the effectiveness of management's planning and
oversight of IT activities;

Evaluate the adequacy of operating processes and internal
controls;

Determine the adequacy of enterprise-wide compliance efforts
related to IT policies and internal control procedures; and

The examiner is responsible for evaluating the effectiveness of
the IT audit function in meeting these objectives. The examiner
should also consider the institution's ability to promptly detect
and report significant risks to the board of directors and senior
management. Examiners should take into account the institution's
size, complexity, and overall risk profile when performing this and
other evaluations. Examiners should consider the following issues
when evaluating the IT audit function:

Independence of the audit function and its reporting
relationship to the board of directors or its audit committee;

Expertise and size of the audit staff relative to the IT
environment;

Identification of the IT audit universe, risk assessment,
scope, and frequency of IT audits;

Processes in place to ensure timely tracking and resolution of
reported weaknesses; and

Documentation of IT audits, including work papers, audit
reports, and follow-up.